[lxc-users] subuids and subgid range with multiple LXC containers

Benoit GEORGELIN - Association Web4all benoit.georgelin at web4all.fr
Wed Mar 29 02:46:40 UTC 2017


----- Original Message -----
> From: "Serge E. Hallyn" <serge at hallyn.com>
> To: "lxc-users" <lxc-users at lists.linuxcontainers.org>
> Sent: Tuesday, 28 March 2017 21:07:08
> Subject: Re: [lxc-users] subuids and subgid range with multiple LXC containers

> On Wed, Mar 29, 2017 at 07:35:15AM +0700, Fajar A. Nugraha wrote:
> > On Wed, Mar 29, 2017 at 4:20 AM, Serge E. Hallyn <serge at hallyn.com> wrote:

> > > Quoting BIGOT Adrien (adrien.bigot at smile.fr):
> > > > Hello,

> > > > Actually hosting many containers (2000+) with OpenVZ technology, we
> > > > want to move to LXC/LXD.
> > > > The goal is to host up to 20 unprivileged containers per
> > > > hypervisor. I'd like to know if there is some best practice
> > > > regarding subuid and subgid in particular if we must have one range
> > > > of subuid/subgid per containers or not.

> > > It's been discussed a few times, but I can't be bothered to find
> > > links :) General guidance is if the containers are working together
> > > you can have them share uid ranges. If they belong to different
> > > groups, or if you want to prevent all chances of one container
> > > subverting another, then give them different ranges.

> > ... and if you're feeling lazy:
> > - allocate large-enough [ug]id range for root and lxd on /etc/sub[ug]id
> > - use newer lxd (e.g. from
> > https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/stable)
> > - set security.idmap.isolated true (
> > https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md#different-idmaps-per-container
> > )

> > It should automatically assign unique [ug]id range for each container with
> > minimal manual setup.

> One thing I've always thought would be useful, but not had the time to
> pursue, would be to have a concept of 'clients' or somesuch, where each
> client can get one or more unique ranges. They can then use those
> ranges however they want, but no other clients will ever get their
> ranges.

That's the way I always thought about LXD and the future with multi-tenant ;)
You are an unprivileged user A, you can SSH to the control-host, manage your, and only your, containers.
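A small audit for the property discussed above (each container holding its own slice of the owner's sub[ug]id allocation, with no two containers sharing host ids), added here as an illustration and not code from this thread or from LXD; the /etc/subuid content and the per-container (base, count) maps are constructed, and in practice those maps are assumed to be read from LXD's per-container idmap settings.

```python
# Constructed example, not code from the thread or from LXD: check that each
# container's host-side uid map is disjoint and lies within the owner's
# /etc/subuid allocation (the property security.idmap.isolated is meant to give).
import re

SUBID_LINE = re.compile(r"^([^:]+):(\d+):(\d+)$")

# Constructed /etc/subuid content and per-container maps (hostid_base, count);
# a real check would read these from the host and from LXD's volatile idmap keys.
SAMPLE_SUBUID = "root:1000000:1000000000\nlxd:1000000:1000000000\n"
SAMPLE_MAPS = {
    "web-a": (1000000, 65536),
    "web-b": (1065536, 65536),   # starts exactly where web-a ends: disjoint
    "web-c": (1000000, 65536),   # same slice as web-a: shared host ids
    "db":    (5000, 65536),      # entirely below the allocated range
}

def parse_subid(text):
    """Parse sub[ug]id lines into {owner: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUBID_LINE.match(line)
        if not m:
            raise ValueError(f"malformed sub[ug]id line: {line!r}")
        ranges.setdefault(m.group(1), []).append((int(m.group(2)), int(m.group(3))))
    return ranges

def overlaps(a, b):
    """True if half-open id ranges [start, start+count) intersect."""
    return a[0] < b[0] + b[1] and b[0] < a[0] + a[1]

def within(inner, outer):
    """True if the inner range lies completely inside the outer one."""
    return inner[0] >= outer[0] and inner[0] + inner[1] <= outer[0] + outer[1]

def check_isolation(subid_text, owner, container_maps):
    """Return findings; an empty list means every container owns a private
    slice of the owner's allocation, so no two containers share host ids."""
    allocation = parse_subid(subid_text).get(owner, [])
    names = sorted(container_maps)
    findings = [f"{n}: map {container_maps[n]} outside {owner}'s sub[ug]id allocation"
                for n in names if not any(within(container_maps[n], r) for r in allocation)]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(container_maps[a], container_maps[b]):
                findings.append(f"{a} and {b} share host ids: isolation not in effect")
    return findings
```

Run against the constructed sample it reports `db` as outside root's allocation and `web-a`/`web-c` as sharing ids, while `web-a`/`web-b` (adjacent, non-overlapping) pass.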

